Cyber defenders hone skills in international wargame

The largest and most complex international network defense exercise was held April 24-28. For Locked Shields 2017, which featured 800 participants from 25 nations, cyber defenders were tasked with maintaining the services and networks of a fictional military air base in the face of attacks on its electric power grid, drones, military command and control systems and other operational infrastructure. Some 3,000 virtual systems and 2,500 attacks were included in all.

NATO’s Cooperative Cyber Defense Centre of Excellence (CCD CoE) in Tallinn, Estonia, organized the event, and played the part of offensive red teams. The defending blue teams had secure online access to the exercise networks from their home bases.

By focusing on realistic and cutting-edge technologies, networks and attack methods, participants were able to hone their cybersecurity skills while handling multiple incidents, solving forensic challenges and responding to legal and strategic communications and unexpected changes to the scenario.

“The blue teams are getting better every year, making the exercise also more demanding for the core planning team. This year we included more specialized systems to offer the teams new challenges,” said Thomas Svensson, chief security officer at Atsec Information Security and deputy dead of the white team, the core planning team of the exercise. “To be successful in Locked Shields, the competing teams need to master both technical and soft skills, meaning they must be able to handle media and legal requests while solving cyber incidents.”

The attacks began with fake news reports of drones using nerve gas. The virtual airbase defended its systems controlling power, fuel and command and control from DDoS attacks, and probes into the airfield operating system from the red team.

“These are real systems taken from the field,” said Raimo Peterson, technology branch chief at the CoE told the Irish Times. “The same power grid system is used in energy transmission companies around the world. The drone uses the same system, software and ground station that is used in military systems around the world.”

In charge of red-team coordination was West Point graduate Mehis Hakkaja, who is now CEO of the Estonian firm Clarified Security.

“We take off ‘fingers’ and ‘limbs’ first. We don’t go for the ‘heart’ straight away,” Hakkaja told the Irish Times. “So we don’t hit a firewall that would let all the [internet] traffic through, but we might chop down a web server or a few workstations.”

The team from Czech Republic won the exercise and also took home the prize for the scenario inject. Estonia came in second, while the team from NATO’s Computer Incident Response Capability took third place and scored the highest in the legal challenges. The German team came out on top of forensic challenges while the team from the United Kingdom achieved the highest scores in handling the strategic communication challenges, officials said.

“The winning team demonstrated that good tactics and stable performance in all categories can lead to best overall scores in the end,” said Aare Reintam, technical exercise director at NATO CCD COE. “The experts of the Czech team performed also very well in the strategic track that was a new addition this year.”

The U.S. cyber team came in twelfth, a significant improvement of last year’s last place finish.

“It was a pure chaos-type environment,” Capt. Sean Ruddy told Wired about last year’s exercise. “You had a red team advancing through your network on six or seven different fronts. You don’t get any breaks. It was abusive.”

So Ruddy and his squad -- based at Fort Gordon, Ga., but operating out of Wiesbaden, Germany -- beefed up the team and added two Dutch observers and parried the assaults. Instead of shutting down the networks to prevent all intrusions, the team decided to keep them running, at the risk of a breach. The red team got in through backdoors and took control of some systems.

“This is simply NATO members getting together and testing each others’ defensive capabilities,” Ruddy told Wired. “We have chat rooms, and we can say, ‘Hey, I’m seeing this on this machine.’ It helps to build capabilities across multiple nations.”

“In the end all the teams have gained a valuable training experience, which is the ultimate goal of this defensive exercise,” Reintam said.

Locked Shields 2017 is organized in cooperation with the Estonian Defence Forces, the Finnish Defence Forces, the Swedish Defence University, the British Joint Army, the United States European Command, Air Operations COE and Tallinn University of Technology.

Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.

Miller has a BA from West Chester University and an MA in English from the University of Delaware.